Tax season is a prime opportunity for cybercriminals to steal identities and money from individuals and businesses. As time goes by, the strategies become more sophisticated; therefore special caution is required.
“Cybercriminals can set up a phishing campaign themselves and target the entire population because everyone has to file taxes at the same time,” warns cybersecurity expert David Ferland, Fortinet’s director of engineering for Eastern Canada.
Now that tax returns have been sent out, tax refund season has begun, and this is when fraudulent calls, emails and text messages are most common. Even on social networks like Messenger or WhatsApp, you can see fraudulent messages claiming to come from Revenu Québec or the Canada Revenue Agency (CRA).
“Individuals and businesses are equally at risk. Those under 25 and those over 60 are more vulnerable, as cybercriminals believe that these individuals may be less knowledgeable about tax policy and therefore more vulnerable to emotional manipulation,” notes Ferland.
According to the Canadian Anti-Fraud Centre (CAFC), the main scam is to trick people into believing that a benefit or amount of money is available after a tax return audit. In other cases, criminals play on a sense of urgency to persuade their victims to take action. For example, they will pretend that a tax deadline has passed and that serious consequences could follow. The victim is then prompted to click a link or enter information.
Businesses are also at risk
In companies, victims are carefully targeted, as cybercriminals have cross-checked information from the dark web, social media and the wider internet. This allows them to write messages that sound very believable. Gradually, they trick an employee into revealing important information such as passwords or access to bank accounts.
“Social engineering is now being combined with hacking techniques and the proliferation of malware such as ransomware to carry out increasingly destructive attacks,” warns David Ferland.
How can you protect yourself?
“Be careful if you receive a notice that appears to be from the Canadian Internal Revenue Service. For both individuals and companies, people are the weakest link in cybersecurity,” the Fortinet expert reminds us.
Please note that the CRA will never use text messages or instant messaging such as Messenger to start a conversation about taxes, benefits or your case, nor will it use these means of communication to solicit information from you. It also never sends emails with a link to a page that asks you to provide personal or financial information. The agency does not require payment by prepaid credit card or gift card. It does not demand or make payments in Bitcoin. It makes no threats.
If the CRA needs to call you, it will have written to you beforehand, whether because you owe taxes or money for a government program, have not yet filed your tax return, or because it has questions about documents you sent. When in doubt, call the agency before sharing information, and if you notice any suspicious communications, report them to the Canadian Anti-Fraud Centre.
In 2022, more than 1,000 CRA-related reports were filed with the CAFC, but we know that many cases of fraud and attempted fraud are never reported.
Examples of fraudulent messages:
Phone:
A call notifies you that a federal criminal case for tax evasion has been filed against you. You are urged to call the revenue agency back immediately to find out more, under threat of legal action, and you are given a number to call.
E-mail:
INTERAC e-Transfer reminder: “You have received funds from CRA.” The transfer, which shows a specific amount, looks believable and prompts you to click a link to deposit your funds. The CRA never sends money via Interac e-Transfer.
Or
A message with the Canadian government logo informs you that the CRA cannot reimburse you for a certain amount because the information does not match. You will be prompted to verify information by clicking on an “ARC Account” button.
Text message:
You will be informed that you are entitled to a tax refund and prompted to click on a link.